This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 711bd888cd Refactor FormAuthenticator to remove code duplication
711bd888cd is described below
commit 711bd888cd98d5453b75471dd33d508d7a0e8f46
Author: Dimitris Soumis <[email protected]>
AuthorDate: Mon Jan 19 15:26:23 2026 +0200
Refactor FormAuthenticator to remove code duplication
---
.../catalina/authenticator/FormAuthenticator.java | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 0d40a2d045..80a364855c 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -362,15 +362,7 @@ public class FormAuthenticator extends AuthenticatorBase {
// a resource is protected for some HTTP methods but not protected for
// GET which is used after authentication when redirecting to the
// protected resource.
- // TODO: This is similar to the FormAuthenticator.matchRequest() logic
- // Is there a way to remove the duplication?
- Session session = request.getSessionInternal(false);
- if (session != null) {
- SavedRequest savedRequest = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
- return savedRequest != null &&
decodedRequestURI.equals(savedRequest.getDecodedRequestURI());
- }
-
- return false;
+ return matchRequest(request, false);
}
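Review bot: The delegation to `matchRequest(request, false)` is only equivalent to the removed inline check if the saved-request null test and the decoded-URI comparison inside `matchRequest` also run on the non-strict path, and both of those sit outside the hunks of this commit (the URI comparison follows the last hunk), so the GET-after-POST redirect case the comment above describes deserves a regression test rather than being taken on faith. The comment block above the return still reads as if the checks were inline; a one-line pointer would save the next reader a trip, e.g. `// Non-strict match: only the saved request and its decoded URI are compared here.` The enclosing method starts before this hunk.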
@@ -504,15 +496,21 @@ public class FormAuthenticator extends AuthenticatorBase {
}
+ protected boolean matchRequest(Request request) {
+ return matchRequest(request, true);
+ }
+
/**
* Does this request match the saved one (so that it must be the redirect
we signaled after successful
* authentication?)
*
* @param request The request to be verified
+ * @param strict <code>true</code> to check for a valid Principal and
valid Session ID, <code>false</code> to only
+ * check for a valid saved request and matching URI
*
* @return <code>true</code> if the requests matched the saved one
*/
- protected boolean matchRequest(Request request) {
+ protected boolean matchRequest(Request request, boolean strict) {
// Has a session been created?
Session session = request.getSessionInternal(false);
if (session == null) {
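Review bot: The one-argument `matchRequest(Request)` added at the top of the hunk is `protected`, so it is part of the extension surface, yet its Javadoc moved to the two-argument overload and the wrapper is left undocumented. Suggest a short Javadoc on the wrapper stating that it is the strict form, e.g. `/** Equivalent to {@code matchRequest(request, true)}: a strict match that also requires a Principal and a matching session ID. */` together with the existing `@param request` and `@return` tags. The `@param strict` text could also say what "valid Session ID" means: the requested session ID is compared with the one recorded in the session note, and only when `getChangeSessionIdOnAuthentication()` is enabled (see the next hunk), while the Principal is read from the session or the request depending on `cache`. The method body continues past this hunk.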
@@ -525,17 +523,19 @@ public class FormAuthenticator extends AuthenticatorBase {
return false;
}
- // Is there a saved principal?
- if (cache && session.getPrincipal() == null || !cache &&
request.getPrincipal() == null) {
- return false;
- }
-
- // Does session id match?
- if (getChangeSessionIdOnAuthentication()) {
- String expectedSessionId = (String)
session.getNote(Constants.SESSION_ID_NOTE);
- if (expectedSessionId == null ||
!expectedSessionId.equals(request.getRequestedSessionId())) {
+ if (strict) {
+ // Is there a saved principal?
+ if (cache && session.getPrincipal() == null || !cache &&
request.getPrincipal() == null) {
return false;
}
+
+ // Does session id match?
+ if (getChangeSessionIdOnAuthentication()) {
+ String expectedSessionId = (String)
session.getNote(Constants.SESSION_ID_NOTE);
+ if (expectedSessionId == null ||
!expectedSessionId.equals(request.getRequestedSessionId())) {
+ return false;
+ }
+ }
}
// Does the request URI match?
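Review bot: The new `if (strict)` guard turns off the two checks that tie the saved request to the authenticated caller — the Principal test and the session-ID test — and nothing at that line records why a caller may skip them; a why-comment belongs there, e.g. `// Non-strict callers presumably only use the match to decide whether authentication processing must continue, not to grant access.` (the only non-strict caller in this commit is the one in the first hunk, so confirm that holds for any others). While the Principal test is being moved, its condition relies on `&&` binding tighter than `||`; writing it as `if ((cache && session.getPrincipal() == null) || (!cache && request.getPrincipal() == null)) {` makes the intent explicit. The session-ID comparison inside the block still only runs when `getChangeSessionIdOnAuthentication()` returns true, which this commit does not change. The method continues after this hunk with the URI comparison.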